![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 37%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
7,586 questions
Azure Privileged Identity Management (PIM) allows you to manage, control, and monitor access to resources within Azure. However, PIM does not provide the functionality you are describing out of the box.
To implement the functionality you are describing, you could use Azure Policy to create a custom policy that requires justification for any write operations on subscriptions and resource groups. You could then assign this policy to the Owners and Contributors roles.
The policy would evaluate every write operation and prompt the user for a justification before allowing the operation to proceed. The justification would then be logged for auditing purposes.
To create this policy, you can use Azure Policy's "Deny" effect to block any write operations that do not include a justification. You can use the built-in Azure Policy definition "Audit write operations that don't include a justification" as a starting point, and modify it to meet your specific needs.
Once the policy is created, you can assign it to the Owners and Contributors roles using Azure RBAC (Role-Based Access Control). You can also configure email notifications or alerts to be sent to designated administrators when a write operation is denied due to a lack of justification.
Note that this approach requires some custom development work, but it can help you achieve the desired functionality.